Used reports/dashboards

PickleRick
SplunkTrust

I was wondering...

Can I get (probably from _internal) which reports and dashboards were executed by users? I supposed that saved searches spawned by scheduler should be possible to either find in configuration (by checking their schedule) or by tracking scheduler logs. But ad-hoc ones?

Use case is - users created many different dashboards and reports and we want to clean the ones not used anymore. But first of course we need to find them.

0 Karma

somesoni2
Revered Legend

This app might be useful for what you're looking for (and some more):

https://splunkbase.splunk.com/app/3541/

PickleRick
SplunkTrust

Hmm... Seems useful. Will have to give it a try. Thanks.

0 Karma

PickleRick
SplunkTrust

After some fiddling (that's typical - I ask a question, then start looking for myself ;-)) it seems that I found a similar solution. I don't do the timecharting but just count but I approach it from a bit different side.

Instead of listing all URLs and only matching some of them, I first build a list of defined dashboards and then look for them in the access log.

index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log"
    [| rest /services/data/ui/views
    | where isDashboard=1
    | fields title
    | eval uri_path="/*/app/*/".title
    | table uri_path]
| stats count by uri_path

But the general idea is similar. Thanks.

EDIT: Oh, and your search lists users, not the dashboards themselves. 😉

0 Karma

ashvinpandey
Contributor

@PickleRick Please try the below query:

index="_internal" source=*access.log user!="-" */app/* 
| rex "\/en\-US\/app\/(?<app>\w+)\/(?<dashboard>\w+)" 
| search dashboard!="job_management" dashboard!="dbinfo" dashboard!="*en-US" dashboard!="search" dashboard!="home" dashboard!="alerts" dashboard!="alert" dashboard!="dashboards" dashboard!="reports" dashboard!="report" dashboard!="overview" 
| search dashboard="*"
| bucket span=1m _time 
| stats count sparkline max(_time) as lastaccess earliest(_time) as StartTime by user 
| eval avg=count/5
| convert ctime(lastaccess) ctime(StartTime) 
| sort -lastaccess 
| rename  user as "User" lastaccess as "Last accessed on" count as "No. of times accessed" avg as "Weekly Avg." StartTime as "First accessed on"

Also, if this reply helped you, an upvote will be appreciated.

0 Karma
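
For the cleanup use case in the original question, the two searches above can be combined so that dashboards with no hits appear in the output instead of dropping out of it. The following is an added example, not a search posted by anyone in this thread; the field names `defined`, `views` and `last_access` are chosen here, and matching is by dashboard title only (as in the `rest`-based search above), so same-named dashboards in different apps are counted together.

```spl
| rest /services/data/ui/views splunk_server=local count=0
| search isDashboard=1
| rename title as dashboard "eai:acl.app" as app
| eval defined=1
| fields dashboard app defined
| append
    [ search index=_internal source=*splunkd_ui_access.log user!="-" uri_path="*/app/*"
      | rex field=uri_path "/app/[^/]+/(?<dashboard>[^/?]+)"
      | stats count as views max(_time) as last_access by dashboard ]
| stats max(defined) as defined values(app) as app sum(views) as views max(last_access) as last_access by dashboard
| where defined=1
| fillnull value=0 views
| eval last_access=if(isnull(last_access), "never in range", strftime(last_access, "%Y-%m-%d %H:%M:%S"))
| sort views
| table dashboard app views last_access
```

A row with `views=0` only means the dashboard was not opened within the search time range and the data still retained in `_internal`, so pick the range with the retention period in mind before deleting anything.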